Anonymous

Buzzfeed today revealed a key detail behind in the Matthew DeHart case: the content of the file which DeHart believes explains the government’s pursuit of him. In addition to details of CIA’s role in drone-targeting and some ag company’s role in killing 13,000 people, DeHart claims a document dropped onto his Tor server included details of FBI’s investigation into CIA’s possible role in the anthrax attack.

According to Matt, he was sitting at his computer at home in September 2009 when he received an urgent message from a friend. A suspicious unencrypted folder of files had just been uploaded anonymously to the Shell. When Matt opened the folder, he was startled to find documents detailing the CIA’s role in assigning strike targets for drones at the 181st.

Matt says he thought of his fellow airmen, some of whom knew about the Shell. “I’m not going to say who I think it was, but there was a lot of dissatisfaction in my unit about cooperating with the CIA,” he says. Intelligence analysts with the proper clearance (such as Manning and others) had access to a deep trove of sensitive data on the Secret Internet Protocol Router Network, or SIPRNet, the classified computer network used by both the Defense and State departments.

As Matt read through the file, he says, he discovered even more incendiary material among the 300-odd pages of slides, documents, and handwritten notes. One folder contained what appeared to be internal documents from an agrochemical company expressing culpability for more than 13,000 deaths related to genetically modified organisms. There was also what appeared to be internal documents from the FBI, field notes on the bureau’s investigation into the worst biological attack in U.S. history: the anthrax-laced letters that killed five Americans and sickened 17 others shortly after Sept. 11.

Though the attacks were officially blamed on a government scientist who committed suicide after he was identified as a suspect, Matt says the documents on the Shell tell a far different story. It had already been revealed that the U.S. Army produced the Ames strain of anthrax — the same strain used in the Amerithrax attacks — at the Dugway Proving Ground in Utah. But the report built the case that the CIA was behind the attacks as part of an operation to fuel public terror and build support for the Iraq War.

Despite his intelligence training, Matt was no expert in government files, but this one, he insists, featured all the hallmarks of a legitimate document: the ponderous length, the bureaucratic nomenclature, the monotonous accumulation of detail. If it wasn’t the real thing, Matt thought, it was a remarkably sophisticated hoax. (The FBI declined requests for comment.)

Afraid of the repercussions of having seen the folder of files, Matt panicked, he claims, and deleted it from the server. But he says he kept screenshots of the dozen or so pages of the document that specifically related to the FBI investigation and the agrochemical matter, along with chat logs and passwords for the Shell, on two IronKey thumb drives, which he hid inside his gun case for safekeeping.

Is it possible DOJ would really go after DeHart for having seen and retaining part of that FBI file?

For what it’s worth, I think Bruce Ivins could not have been the sole culprit and it’s unlikely he was the culprit at all. I believe the possibility that a CIA-related entity, especially a contractor or an alumni, had a role in the anthrax attack to be possible. In my opinion, Batelle Labs in Ohio are the most likely source of the anthrax, not least because they’re close enough to New Jersey to have launched the attacks, but because — in addition to dismissing potential matches to the actual anthrax through a bunch of smoke (only looking for lone wolves) and mirrors (ignoring four of the potentially responsive samples) — Batelle did have a responsive sample of the anthrax. Though as a recently GAO report made clear, FBI didn’t even sample all the labs that had potentially responsive samples, so perhaps one of those labs should be considered a more likely source. Batelle does work for the CIA and just about everyone else, so if Batelle were involved, CIA involvement couldn’t be ruled out.

So I think it quite possible that FBI was investigating CIA or someone related to CIA in the attack. It’s quite possible, too, that someone might want to leak that information, as it has been clear for years that at least some in FBI were not really all that interested in solving the crime. Even the timing would make sense, coming as it would have in the wake of the FBI’s use of the Ivins suicide to stop looking for a culprit and even as the Obama Administration was beginning to hint it wasn’t all that interested in reviewing FBI’s investigation.

But there’s something odd about how this was allegedly leaked.

According to Buzzfeed, the anthrax investigation came in one unencrypted folder with the ag document and a document on drone targeting the source of which he thinks he knows (it would like have been a former colleague from the ANG).

How would it ever be possible that the same person would have access to all three of those things? While it’s possible the ag admission ended up in the government, even a DOJ investigation into such an admission would be in a different place than the FBI anthrax investigation, and both should be inaccessible to the ANG people working on SIPRNet.

That is, this feels like the Laptop of Death, which included all the documents you’d want to argue that Iran had an active and advanced nuclear weapons program, but which almost certainly would never all end up on the same laptop at the same time.

This raises the possibility that the Wikileaks.org Web site could be used to post fabricated information; to post misinformation, disinformation, and propaganda; or to conduct perception management and influence operations designed to convey a negative message to those who view or retrieve information from the Web site

That is, given how unlikely it would be to find these juicy subjects all together in one folder, I do wonder whether they’re all authentic (though DeHart would presumably be able to assess the authenticity of the drone targeting documents).

And DeHart no longer has the documents in question — Canada hasn’t given them back.

Paul told the agents that his family had evidence to back up their account: court documents, medical records, and affidavits — along with the leaked FBI document Matt had found that exposed an explosive secret. It was all on two encrypted thumb drives, which Matt later pulled off a lanyard around his neck and handed to the guards.

[snip]

If Matt is, in fact, wrongly accused, answers could be on the thumb drives taken by the Canada Border Services Agency, which have yet to be returned to the DeHarts. But without access to the leaked files Matt claims to have seen, there is no way to verify whether he was actually in possession of them, and, if he was, whether they’re authentic.

Though at least one person (a friend in London? Any association with WikiLeaks?) may have a copy.

Inside a hotel room in Monterrey, Mexico, Matt says he copied the Shell files onto a handful of thumb drives. He mailed one to a friend outside London, and several others to locations he refuses to disclose. He also says he sent one to himself in care of his grandmother, which he later retrieved for himself. When the subject of the drives comes up, Matt acts circumspect because, he says, he knows that our communications are being monitored.

There’s definitely something funky about this story. Importantly, it’s not just DeHart and his family that are acting like something’s funky — the government is too.

But that doesn’t necessarily mean the FBI thinks CIA did the anthrax attack.

There’s a subtle point that deserves more attention: GCHQ presented the underlying Powerpoint to NSA’s SIGDEV conference.

The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder — and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

[snip]

In the presentation on hacktivism that was prepared for the 2012 SIGDEV conference, one official working for JTRIG described the techniques the unit used to disrupt the communications of Anonymous and identify individual hacktivists, including some involved in Operation Payback. Called “Pushing the Boundaries and Action Against Hacktivism,” the presentation lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups,” says the hacktivists’ targets include corporations and governments, and says their techniques include DDOS and data theft.

SIGDEV is NSA’s term for the agency’s efforts to develop new signals intelligence techniques and sources. Thus, GCHQ presented the attack as the cutting edge of what NSA does.

Goodie.

But remember: NSA’s SIGDEV analysts have access to raw data outside of normal channels. This shows up repeatedly in the primary orders for the dragnet. And, as Bart Gellman noted (and I elaborated on here), Obama specifically exempted these folks from his Presidential Policy Directive limiting our spying (though his PPD did say foreigners could be spied on for cybersecurity reasons).

In other words, the people GCHQ boasted of their attack on Anonymous to are the people who have some of the least oversight within NSA.

One reason I harped on the way Ken Dilanian referred to the “official position” that hacking other governments was acceptable was because I suspected the government does what NBC just reported they do: engage in hacking against other targets, in this case, hackers like Anonymous.

[A] division of Government Communications Headquarters Communications (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack.

As I noted on Twitter, the report that GCHQ targeted Anonymous should raise questions (that have already been raised) whether either GCHQ or NSA was behind the DDoS attack on noted publishing site WikiLeaks in 2010.

So the NSA (and GCHQ) believe some hacks are legitimate and some are not. But in addition, both are effectively asserting that the state should have a monopoly on hacking, just as it asserts a monopoly on violence. As some of the people involved have been commenting on Twitter, they got charged for DDoSing, even as the Brits were engaging in precisely the same behavior. Particularly troubling, there’s no indication NSA or GCHQ believe they need warrants to exercise their monopoly on hacks against their own citizens (FBI has in the past gotten a warrant to bring down a botnet, so there is precedent).

Of course, therein lies part of the problem: that intelligence is bleeding into law enforcement, and the tools of inter-state spying are being wielded against criminals (and dissidents).

None of this is surprising. It arises directly out of the way the government has gone after terrorists, and this treatment of an IRC channel is directly parallel to the same kind of guilt by association used against terrorists.

As you may have heard, Anonymous and AntiSec hacked into a database of 12 million Apple Universal Device IDs that were in an FBI officer’s laptop and released 1 million of them, ostensibly so some people could identify if their device was one of those FBI was tracking.

They claimed to have tapped into a Dell laptop owned by Special Agent Christopher K. Stangl, an FBI cyber security expert. They downloaded several files, including one that contained “12,367,232 Apple iOS devices including Unique Device Identifiers (UDID)” and other personal information, they wrote in a text file published online. “[The] personal details fields referring to people appears many times empty leaving the whole list incompleted [sic] on many parts. no other file on the same folder makes mention about this list or its purpose.”

While it’s not immediately clear what the FBI is doing with the Apple UDIDs and detailed information on device owners, Gizmodo pointed out that the acronym “NCFTA” could stand for the National Cyber-Forensics & Training Alliance, a nonprofit that acts as an information-sharing gateway between private industry and law enforcement.

These are unique identifiers for things like iPhones and iPads that have long presented the risk of tying someone’s identity to an individual device.

There are multiple ways FBI could have collected this information–either using an NSL or Section 215 request or an insecure transmissions to an ad or game server. And no one knows how the FBI was using it. Whatever you think about Anonymous, we may finally learn more about how the government is tracking geolocation.

But here’s one other concern. Assuming that’s an official FBI database, not only the FBI has it, but also the National Counterterrorism Center. And they’ve got access to whatever federal databases they want to cross-check with existing counterterrorism databases. And one of the few checks we have on the use of our data in this way is a Privacy Act SCOTUS just watered down.

This is a massive amount of data the government likely has no good excuse for having collected, much less used. But it’s likely just one tip of a very big iceberg.

As I wrote in this post, I got interested in the provenance of a set of leaked Bashar al-Assad emails largely because of the way in which two of them were used to suggest, dubiously, Nir Rosen was an Assad agent.

The Guardian and Al Arabiya have both offered posts describing, in part, how they came by the emails, with the Guardian’s offering more details. The short version is:

March 15, 2011: Uprising escalates in Daraa.

Late March: “a young government worker in Damascus” handed off a slip of paper to a friend. The paper had four codes (plus or including the two email addresses, the Guardian is not clear) that would provide access to personal email accounts of Bashar al-Assad and his wife Asma. The friend was apparently supposed to pass them onto “a small group of exiled Syrians who would know what to do with them.”

June: “Two Syrian professionals in a Gulf state” obtain the emails. The Guardian doesn’t explain whether they were the original intended recipients, nor does it explain the delay. Though it does include a blurb describing their sudden awakening to politics that makes it clear the Guardian has spoken to at least one of the activists and replicated their self-narrative uncritically.

The uprising in the southern Syrian city of Deraa on 15 March had empowered them, as it had hundreds of thousands of others in the totalitarian state. They were now determined to do what they could to bring an end to more than four decades of rule by the Assad clan.

“It was clear who we were dealing with,” said one of the activists. “This was the president and his wife. There was no doubt.”

June to December: The emails are used with increasing frequency over time; Assad appears to build a PR strategy using them.

January: Anonymous (which had been infiltrated by the FBI since at least June, the same month the Syrian activists purportedly got the email codes) hacks Bashar al-Assad’s servers, accessing 78 different email accounts.

February 7: Anonymous releases the Assad emails which were published by Ha-aretz, claims the password was 12345. These are, at least in part, the very same emails being released today. Assad’s brother-in-law Firas al-Akhras emails him to tell him the inbox of the Ministry of Presidential Affairs had been leaked. All the emails are shut down.

March 15, 2012: The emails published.

In their narratives, neither the Guardian nor al Arabiya note that the FBI had been running Sabu since last June, precisely the same month the “activists” reportedly got the “secret codes” (12345?) that would allow them to access the Assad emails.

Now there are plenty of questions I have about this: Who was the mole, how did he or she get this information, who was the friend, what caused the 3-month delay. All of those questions, of course, are particularly interesting giving the coincidence of timing with the Sabu recruitment.

And why release these emails now? Just because of the one-year anniversary of Daraa, and the other events planned for the day?

Suffice it to say it feels a lot like outside entities–aside from whatever professionals-turned-activists purportedly monitored these accounts–were involved.

With that feeling in mind, two more details worth noting. First, al Arabiya’s story on how they got the emails focuses instead on what they didn’t publish: a bunch of “scandalous emails.”

Hundreds of “scandalous” emails were accordingly deleted by Al Arabiya.

By comparison, the Guardian said only it didn’t publish personal emails. Both sources, however, want people–perhaps including Assad?–to know that there were more emails that may be out there.

The other thing I find interesting is the detail the Guardian pays to Assad’s email habits.

[The Syrian activists in the Gulf state] soon noticed differences in the way the couple used their email accounts. “We had to be quick with Bashar’s emails,” one of the activists said. “He would delete most as soon as they arrived in his inbox, whereas his wife wouldn’t. So as soon as they went from unread to read we had to get them fast.”

Deleting emails as soon as they arrive shows a degree of awareness of web security. So too did the fact that Assad never attached his name or initials to any of the emails he sent. However, many of the emails that arrived in his inbox are addressed to him as president and contain intimate details of events and discussions that were not known outside of the inner sanctum and would have been very difficult to manipulate.

Even before I remembered that the same guy the Guardian claims was showing some web security used “12345” as his password, this entire passage sounded bogus, more like a way to provide cover for some other means to collect these emails that don’t involve more sophisticated wiretapping of packets, as opposed to email in-boxes.

But once you remember this is a guy who reportedly used “12345” as his password, then the entire claim Assad was practicing good security becomes laughable. Which makes this entire passage suspect.

There are two stories of how Bashar al-Assad got his emails hacked in the last year. In one version, Syrian activists managed to spy on their dictator in real time and are presumably releasing emails that lack a smoking gun (but did include “scandalous” emails) as a sort of anniversary present for Assad. The other story involves the FBI flipping at least one hacker and having him continue to hack at their command.

Something curious has happened in the last few days while I’ve been traveling. The Guardian and Al Arabiya have been publishing leaked emails from Bashar al-Assad and his wife, showing both to be callous assholes but not otherwise producing a smoking gun (though I do hope to return to what they show about how they evaded sanctions).

In the last day or so, attention has shifted to twoemails (here’s a translation of the first) between Assad aides and Assad, mentioning the journalist Nir Rosen. A number of people read them to suggest Rosen was an agent of Assad’s, perhaps even exposing other Western journalists who were sneaking into Syria.

I believe the trove of leaked emails from the Syrian government are indeed all real. The emails which contain my name are certainly real, I don’t mind saying. They are from people who were introduced to me and other western journalists as media and public relations advisers to the Syrian government or the president himself. They are the same people who arranged for the ABC News interview with Barbara Walters, for the Sunday Times interview with Bashar al Assad, for Agence France Presse, and for others to enter Syria. This is normal. How else does a journalist enter a country such as Syria?

And as this November email also shows, I forwarded them a link to a BBC program on Syria done by the heroic Paul Wood in order to try to persuade them that journalists are coming in anyway and they might as well let al Jazeera in formally.

Importantly, the fact that I had to send my resume and biography to establish my credentials for an interview bid with Assad and the very need for sending these things shows I was not an agent for them.

I suspect all sorts of people will continue to focus on Rosen.

If you haven’t been following his work, a number of people have pointed to Rosen as one of the very few people giving a nuanced picture of what is going on in Syria right now. As an example, in this Q&A he talks about the stalemate-degrading-into-civil-war Syria is in right now.

Only a “Hama” could change the equation. Nobody can say exactly what that would entail, because “Hama” has become an epithet, a symbol, it just means for something terrible to happen. So, until now there is no Hama-type event that the opposition or international media could use to give leaders in Turkey or the West a pretext for humanitarian intervention or to delegitimise the country’s leadership. Such an incident would have to be so grave that international opponents would use it to obliterate the Russian and Chinese veto in the United Nations, and to criminalise those two countries for their backing of the Syrian regime.

In any case, that’s the Nir Rosen background to the emails.

All of which led me to ask where the emails came from. I have no doubt they’re real (or at least most of them)–Rosen has confirmed the emails mentioning him appear to be real. Here’s the Guardian’s description of who did and did not confirm the authenticity of emails involving them.

But having the entire contents of one or two email inboxes is not the same as reliably understanding how they came to be obtained and published. That’s the question I’d like to look at in more detail in a follow-up post.

Back on February 3, I noted what I thought was the irony that, four days after FBI Director Robert Mueller bragged about FBI’s cybersecurity expertise–including its partnerships with counterparts overseas–Anonymous released an earlier hacked call between Scotland Yard and FBI.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

We now know that at the time of both the hack and Mueller’s comment, the FBI was running Hector Xavier Monsegur–Sabu–as a confidential informant–and the Scotland Yard call is one of the hacks they busted others for with his assistance last week.

In January 2012, O’CEARRBHAIL hacked into the personal e-mail account of an officer with Ireland’s national police service, the An Garda Siochana (the “Garda”). Because the Garda officer had forwarded work e-mails to a personal account, O’CEARRBHAIL learned information about how to access a conference call that the Garda, the FBI, and other law enforcement agencies were planning to hold on January 17, 2012 regarding international investigations of Anonymous and other hacking groups. O’CEARRBHAIL then accessed and secretly recorded the January 17 international law enforcement conference call, and then disseminated the illegally-obtained recording to others.

And meanwhile, all of the things Sabu was saying on his twitter account were closely monitored–if not written–by the FBI, including the comment about FBI’s informants, above, and the multiple “celebrations” of the Scotland Yard hack.

As you may have heard, Anonymous hacked into and released a conference call between the FBI and Scotland Yard discussing their efforts to crack down on the hackers’ group.

What makes the hack all the more ironic is its release comes just days after Robert Mueller bragged of the FBI’s cyber expertise at the Threat Assessment hearing on Tuesday (the actual call took place on January 17, which makes me wonder whether they have gotten subsequent calls as well). In response to MD (and therefore NSA’s) Senator Barbara Mikulski’s suggestion that the NSA was the only entity able to investigate cybercrime, Mueller insisted (after 2:01) the FBI can match the expertise of NSA. He even bragged about how important partnering with counterparts in other countries–like Scotland Yard–was to the FBI’s expertise.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

I don’t want to sell the FBI short or anything. But regardless of their expertise in investigating cybercrimes, it sure seems like they’ve got the same crappy security the rest of the Federal government has.

There’s something hysterical about the promise a Quantico spokesperson made that DOD would take any threats to its IT networks–in this case, threats made by Anonymous–seriously.

A Quantico spokesman, Lieutenant Agustin Solivan, said officials had referred the matter to law enforcement and counter-intelligence agencies. “We are aware of the threat and any threats to defence department information systems and networks are taken seriously,” he said. “The intent or stating that you are going to commit a crime is a crime in itself,” he added.

You see, back in 2008, DOD got badly hit by malware introduced via a thumb drive or some other removable media. And in response, DOD instituted measures that–it said–would clear up the problem.

The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to “floppy disks,” is supposed to take effect “immediately.”

[snip]

Servicemembers are supposed to “cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware,” one e-mail notes.

Eventually, some government-approved drives will be allowed back under certain “mission-critical,” but unclassified, circumstances. “Personally owned or non-authorized devices” are “prohibited” from here on out.

In other words, back in 2008, an enemy force attacked DOD’s IT system using an embarrassing security vulnerability. In response DOD immediately banned all removable media. That ban was supposed to be permanent on classified networks like SIPRNet.

Just over one year later, a low-ranking intelligence analyst in Iraq brought in a Lady Gaga CD, inserted it into his computer attached to SPIRNet, and allegedly downloaded three huge databases of classified information.

Throughout the WikiLeaks scandal, DOD has been the functional equivalent of someone who, just weeks after getting cured of syphilis, went right back to his old ways and–surprise surprise!–got the clap, all the while denying he bore any responsibility for fucking around.

According to Bradley Manning’s description, there was a virtual orgy of IT security problems at his base in Iraq.

Incidentally, note that no one has been fired for having left SIPRNet open to the same vulnerability that had already been targeted in a hostile attack? It’s all Bradley Manning’s fault. Sure, DOD was fucking around. But it can’t be held responsible!

So now, weeks after HBGary emails made it clear that DOD and DOJ and CIA were already investigating Anonymous, they’re telling us they’re investigating. For real now.

And don’t you worry! Ain’t no way Anonymous can hurt them. Because they know how to defend against such threats.

Server logs and leaked emails reveal that employees at Hunton & Williams, the principal law firm of the U.S. Chamber of Commerce, spent 20 hours on SEIU websites last November while partners from the firm were working with private security firms on an illegal “dirty tricks” campaign aimed at undermining the credibility of the Chamber’s political opponents, including the Service Employees International Union (SEIU).

And of course SEIU is able to see precisely what H&W was looking at in that period: top H&W page views in 2010 include SEIU’s page on the Chamber and on big banks. People from H&W searched on individuals at SEIU as well as on SEIU’s organizing of protests outside of BoA’s General Counsel. They even searched on “hourly pay for SEIU organizers.” (Whatever that is, it’s less than Themis was going to charge for its paid trolls.)